diff options
author | Repository QA checks <repo-qa-checks@gentoo.org> | 2017-02-21 00:14:56 +0000 |
---|---|---|
committer | Repository QA checks <repo-qa-checks@gentoo.org> | 2017-02-21 00:14:56 +0000 |
commit | 9e09973f92cbfed073dfb8cff7d69b442992d794 (patch) | |
tree | 001b5be8e180429654b34ca85a102ac6c1b6647b | |
parent | Merge updates from master (diff) | |
parent | Add GLSA 201702-29 (diff) | |
download | gentoo-9e09973f92cbfed073dfb8cff7d69b442992d794.tar.gz gentoo-9e09973f92cbfed073dfb8cff7d69b442992d794.tar.bz2 gentoo-9e09973f92cbfed073dfb8cff7d69b442992d794.zip |
Merge commit '13e3c79260d3a484acaf3620f484f6f4ab02614a'
-rw-r--r-- | metadata/glsa/glsa-201702-20.xml | 77 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-21.xml | 71 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-22.xml | 74 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-23.xml | 61 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-24.xml | 57 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-25.xml | 53 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-26.xml | 59 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-27.xml | 65 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-28.xml | 72 | ||||
-rw-r--r-- | metadata/glsa/glsa-201702-29.xml | 64 |
10 files changed, 653 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201702-20.xml b/metadata/glsa/glsa-201702-20.xml new file mode 100644 index 000000000000..c1e13ce4214f --- /dev/null +++ b/metadata/glsa/glsa-201702-20.xml @@ -0,0 +1,77 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-20"> + <title>Adobe Flash Player: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the + worst of which allows remote attackers to execute arbitrary code. + </synopsis> + <product type="ebuild">flash</product> + <announced>2017-02-20</announced> + <revised>2017-02-20: 1</revised> + <bug>605314</bug> + <bug>609330</bug> + <access>remote</access> + <affected> + <package name="www-plugins/adobe-flash" auto="yes" arch="*"> + <unaffected range="ge">24.0.0.221</unaffected> + <vulnerable range="lt">24.0.0.221</vulnerable> + </package> + </affected> + <background> + <p>The Adobe Flash Player is a renderer for the SWF file format, which is + commonly used to provide interactive websites. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Adobe Flash Player. + Please review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process or bypass security restrictions. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Adobe Flash users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-plugins/adobe-flash-24.0.0.221" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2925">CVE-2017-2925</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2926">CVE-2017-2926</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2927">CVE-2017-2927</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2928">CVE-2017-2928</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2930">CVE-2017-2930</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2931">CVE-2017-2931</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2932">CVE-2017-2932</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2933">CVE-2017-2933</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2934">CVE-2017-2934</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2935">CVE-2017-2935</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2936">CVE-2017-2936</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2937">CVE-2017-2937</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2938">CVE-2017-2938</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2982">CVE-2017-2982</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2984">CVE-2017-2984</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2985">CVE-2017-2985</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2986">CVE-2017-2986</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2987">CVE-2017-2987</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2988">CVE-2017-2988</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2990">CVE-2017-2990</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2991">CVE-2017-2991</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2992">CVE-2017-2992</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2993">CVE-2017-2993</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2994">CVE-2017-2994</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2995">CVE-2017-2995</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2996">CVE-2017-2996</uri> + </references> + <metadata tag="requester" timestamp="2017-02-16T12:43:25Z">whissi</metadata> + <metadata tag="submitter" timestamp="2017-02-20T23:44:37Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-21.xml b/metadata/glsa/glsa-201702-21.xml new file mode 100644 index 000000000000..68f1a9b4c5e9 --- /dev/null +++ b/metadata/glsa/glsa-201702-21.xml @@ -0,0 +1,71 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-21"> + <title>Opus: User-assisted execution of arbitrary code</title> + <synopsis>A vulnerability in Opus could cause memory corruption.</synopsis> + <product type="ebuild">opus</product> + <announced>2017-02-20</announced> + <revised>2017-02-20: 1</revised> + <bug>605894</bug> + <access>remote</access> + <affected> + <package name="media-libs/opus" auto="yes" arch="*"> + <unaffected range="ge">1.1.3-r1</unaffected> + <vulnerable range="lt">1.1.3-r1</vulnerable> + </package> + </affected> + <background> + <p>Opus is a totally open, royalty-free, highly versatile audio codec.</p> + </background> + <description> + <p>A large NLSF values could cause the stabilization code in + silk/NLSF_stabilize.c to wrap-around and have the last value in + NLSF_Q15[] to be negative, close to -32768. + </p> + + <p>Under normal circumstances, the code will simply read from the wrong + table resulting in an unstable LPC filter. The filter would then go + through the LPC stabilization code at the end of silk_NLSF2A(). + </p> + + <p>Ultimately, the output audio would be garbage, but no worse than with + any other harmless bad packet. + </p> + + <p>Please see the referenced upstream patch and Debian bug report below for + a detailed analysis. + </p> + + <p>However, the original report was about a successful exploitation of + Android’s Mediaserver in conjunction with this vulnerability. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to open a specially crafted media + stream, possibly resulting in execution of arbitrary code with the + privileges of the process, or a Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Opus users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/opus-1.1.3-r1" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0381">CVE-2017-0381</uri> + <uri link="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851612#10"> + Debian Bug 851612 + </uri> + <uri link="https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b"> + Upstream patch + </uri> + </references> + <metadata tag="requester" timestamp="2017-02-16T12:24:20Z">whissi</metadata> + <metadata tag="submitter" timestamp="2017-02-20T23:45:02Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-22.xml b/metadata/glsa/glsa-201702-22.xml new file mode 100644 index 000000000000..b18c72c2aac6 --- /dev/null +++ b/metadata/glsa/glsa-201702-22.xml @@ -0,0 +1,74 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-22"> + <title>Mozilla Firefox: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the + worst of which may allow execution of arbitrary code. + </synopsis> + <product type="ebuild">firefox</product> + <announced>2017-02-20</announced> + <revised>2017-02-20: 1</revised> + <bug>607138</bug> + <access>remote</access> + <affected> + <package name="www-client/firefox" auto="yes" arch="*"> + <unaffected range="ge">45.7.0</unaffected> + <vulnerable range="lt">45.7.0</vulnerable> + </package> + <package name="www-client/firefox-bin" auto="yes" arch="*"> + <unaffected range="ge">45.7.0</unaffected> + <vulnerable range="lt">45.7.0</vulnerable> + </package> + </affected> + <background> + <p>Mozilla Firefox is a popular open-source web browser from the Mozilla + Project. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please + review the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with the + privileges of the process, cause a Denial of Service condition, bypass + access restriction, access otherwise protected information, or spoof + content via multiple vectors. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Mozilla Firefox users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-45.7.0" + </code> + + <p>All Mozilla Firefox binary users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-45.7.0" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373">CVE-2017-5373</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375">CVE-2017-5375</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376">CVE-2017-5376</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378">CVE-2017-5378</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380">CVE-2017-5380</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383">CVE-2017-5383</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5386">CVE-2017-5386</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390">CVE-2017-5390</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396">CVE-2017-5396</uri> + <uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/"> + Mozilla Foundation Security Advisory 2017-02 + </uri> + </references> + <metadata tag="requester" timestamp="2017-01-30T01:26:06Z">whissi</metadata> + <metadata tag="submitter" timestamp="2017-02-20T23:45:18Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-23.xml b/metadata/glsa/glsa-201702-23.xml new file mode 100644 index 000000000000..4eae1027c53b --- /dev/null +++ b/metadata/glsa/glsa-201702-23.xml @@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-23"> + <title>Dropbear: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Dropbear, the worst of + which allows remote attackers to execute arbitrary code. + </synopsis> + <product type="ebuild">dropbear</product> + <announced>2017-02-20</announced> + <revised>2017-02-20: 1</revised> + <bug>605560</bug> + <access>remote</access> + <affected> + <package name="net-misc/dropbear" auto="yes" arch="*"> + <unaffected range="ge">2016.74</unaffected> + <vulnerable range="lt">2016.74</vulnerable> + </package> + </affected> + <background> + <p>Dropbear is an SSH server and client designed with a small memory + footprint. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Dropbear. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could possibly execute arbitrary code with root + privileges if usernames containing special characters can be created on a + system. Also, a dbclient user who can control username or host arguments + could potentially run arbitrary code with the privileges of the process. + </p> + + <p>In addition, a remote attacker could entice a user to process a + specially crafted SSH key using dropbearconvert, possibly resulting in + execution of arbitrary code with the privileges of the process or a + Denial of Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Dropbear users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2016.74" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7406">CVE-2016-7406</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7407">CVE-2016-7407</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7408">CVE-2016-7408</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7409">CVE-2016-7409</uri> + </references> + <metadata tag="requester" timestamp="2017-02-05T22:53:36Z">b-man</metadata> + <metadata tag="submitter" timestamp="2017-02-20T23:45:39Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-24.xml b/metadata/glsa/glsa-201702-24.xml new file mode 100644 index 000000000000..1e92964d19b7 --- /dev/null +++ b/metadata/glsa/glsa-201702-24.xml @@ -0,0 +1,57 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-24"> + <title>LibVNCServer/LibVNCClient: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in + LibVNCServer/LibVNCClient, the worst of which allows remote attackers to + execute arbitrary code when connecting to a malicious server. + </synopsis> + <product type="ebuild">libvncserver</product> + <announced>2017-02-20</announced> + <revised>2017-02-20: 1</revised> + <bug>605326</bug> + <access>remote</access> + <affected> + <package name="net-libs/libvncserver" auto="yes" arch="*"> + <unaffected range="ge">0.9.11</unaffected> + <vulnerable range="lt">0.9.11</vulnerable> + </package> + </affected> + <background> + <p>LibVNCServer/LibVNCClient are cross-platform C libraries that allow you + to easily implement VNC server or client functionality in your program. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in LibVNCServer and + LibVNCClient. Please review the CVE identifiers referenced below for + details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could entice a user to connect to a malicious VNC + server or leverage Man-in-the-Middle attacks to cause the execution of + arbitrary code with the privileges of the user running a VNC client + linked against LibVNCClient. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All LibVNCServer/LibVNCClient users should upgrade to the latest + version: + </p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libvncserver-0.9.11" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9941">CVE-2016-9941</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9942">CVE-2016-9942</uri> + </references> + <metadata tag="requester" timestamp="2017-02-05T22:55:00Z">b-man</metadata> + <metadata tag="submitter" timestamp="2017-02-20T23:45:56Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-25.xml b/metadata/glsa/glsa-201702-25.xml new file mode 100644 index 000000000000..0cedc9ab6abd --- /dev/null +++ b/metadata/glsa/glsa-201702-25.xml @@ -0,0 +1,53 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-25"> + <title>libass: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in libass, the worst of + which have unknown impacts. + </synopsis> + <product type="ebuild">libass</product> + <announced>2017-02-20</announced> + <revised>2017-02-20: 1</revised> + <bug>596422</bug> + <access>remote</access> + <affected> + <package name="media-libs/libass" auto="yes" arch="*"> + <unaffected range="ge">0.13.4</unaffected> + <vulnerable range="lt">0.13.4</vulnerable> + </package> + </affected> + <background> + <p>libass is a portable subtitle renderer for the ASS/SSA (Advanced + Substation Alpha/Substation Alpha) subtitle format. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in libass. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A remote attacker could cause a Denial of Service condition or other + unknown impacts via unknown attack vectors. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All libass users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libass-0.13.4" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7969">CVE-2016-7969</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7970">CVE-2016-7970</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7971">CVE-2016-7971</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7972">CVE-2016-7972</uri> + </references> + <metadata tag="requester" timestamp="2017-02-05T23:35:59Z">b-man</metadata> + <metadata tag="submitter" timestamp="2017-02-20T23:46:16Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-26.xml b/metadata/glsa/glsa-201702-26.xml new file mode 100644 index 000000000000..fc86cf20f8d0 --- /dev/null +++ b/metadata/glsa/glsa-201702-26.xml @@ -0,0 +1,59 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-26"> + <title>Nagios: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Nagios, the worst of + which could lead to privilege escalation. + </synopsis> + <product type="ebuild">nagios</product> + <announced>2017-02-21</announced> + <revised>2017-02-21: 1</revised> + <bug>595194</bug> + <bug>598104</bug> + <bug>600864</bug> + <bug>602216</bug> + <access>local, remote</access> + <affected> + <package name="net-analyzer/nagios-core" auto="yes" arch="*"> + <unaffected range="ge">4.2.4</unaffected> + <vulnerable range="lt">4.2.4</vulnerable> + </package> + </affected> + <background> + <p>Nagios is an open source host, service and network monitoring program.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Nagios. Please review + the CVE identifiers referenced below for details. + </p> + </description> + <impact type="high"> + <p>A local attacker, who either is already Nagios’s system user or + belongs to Nagios’s group, could potentially escalate privileges. + </p> + + <p>In addition, a remote attacker could read or write to arbitrary files by + spoofing a crafted response from the Nagios RSS feed server. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Nagios users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/nagios-core-4.2.4" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4796">CVE-2008-4796</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7313">CVE-2008-7313</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8641">CVE-2016-8641</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9565">CVE-2016-9565</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9566">CVE-2016-9566</uri> + </references> + <metadata tag="requester" timestamp="2017-01-30T01:56:03Z">whissi</metadata> + <metadata tag="submitter" timestamp="2017-02-21T00:04:00Z">b-man</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-27.xml b/metadata/glsa/glsa-201702-27.xml new file mode 100644 index 000000000000..e65aec7e17cf --- /dev/null +++ b/metadata/glsa/glsa-201702-27.xml @@ -0,0 +1,65 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-27"> + <title>Xen: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which + could lead to the execution of arbitrary code on the host system. + </synopsis> + <product type="ebuild">xen</product> + <announced>2017-02-21</announced> + <revised>2017-02-21: 1</revised> + <bug>607840</bug> + <bug>609160</bug> + <access>local</access> + <affected> + <package name="app-emulation/xen" auto="yes" arch="*"> + <unaffected range="ge">4.7.1-r5</unaffected> + <vulnerable range="lt">4.7.1-r5</vulnerable> + </package> + <package name="app-emulation/xen-tools" auto="yes" arch="*"> + <unaffected range="ge">4.7.1-r6</unaffected> + <vulnerable range="lt">4.7.1-r6</vulnerable> + </package> + </affected> + <background> + <p>Xen is a bare-metal hypervisor.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in Xen. Please review the + CVE identifiers and Xen Security Advisory referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A local attacker could potentially execute arbitrary code with + privileges of Xen (QEMU) process on the host, gain privileges on the host + system, cause a Denial of Service condition, or obtain sensitive + information. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All Xen users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.7.1-r5" + </code> + + <p>All Xen Tools users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-tools-4.7.1-r6" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615">CVE-2017-2615</uri> + <uri link="https://xenbits.xen.org/xsa/advisory-207.html">XSA-207</uri> + <uri link="https://xenbits.xen.org/xsa/advisory-208.html">XSA-208</uri> + </references> + <metadata tag="requester" timestamp="2017-02-16T18:01:38Z">whissi</metadata> + <metadata tag="submitter" timestamp="2017-02-21T00:04:19Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-28.xml b/metadata/glsa/glsa-201702-28.xml new file mode 100644 index 000000000000..dc8de74927c8 --- /dev/null +++ b/metadata/glsa/glsa-201702-28.xml @@ -0,0 +1,72 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-28"> + <title>QEMU: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in QEMU, the worst of + which could lead to the execution of arbitrary code on the host system. + </synopsis> + <product type="ebuild">qemu</product> + <announced>2017-02-21</announced> + <revised>2017-02-21: 1</revised> + <bug>606264</bug> + <bug>606720</bug> + <bug>606722</bug> + <bug>607000</bug> + <bug>607100</bug> + <bug>607766</bug> + <bug>608034</bug> + <bug>608036</bug> + <bug>608038</bug> + <bug>608520</bug> + <bug>608728</bug> + <access>local</access> + <affected> + <package name="app-emulation/qemu" auto="yes" arch="*"> + <unaffected range="ge">2.8.0-r1</unaffected> + <vulnerable range="lt">2.8.0-r1</vulnerable> + </package> + </affected> + <background> + <p>QEMU is a generic and open source machine emulator and virtualizer.</p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in QEMU. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>A local attacker could potentially execute arbitrary code with + privileges of QEMU process on the host, gain privileges on the host + system, cause a Denial of Service condition, or obtain sensitive + information. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All QEMU users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.8.0-r1" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10155"> + CVE-2016-10155 + </uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615">CVE-2017-2615</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5525">CVE-2017-5525</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5552">CVE-2017-5552</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5578">CVE-2017-5578</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5579">CVE-2017-5579</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5667">CVE-2017-5667</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5856">CVE-2017-5856</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5857">CVE-2017-5857</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5898">CVE-2017-5898</uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5931">CVE-2017-5931</uri> + </references> + <metadata tag="requester" timestamp="2017-02-16T18:41:09Z">whissi</metadata> + <metadata tag="submitter" timestamp="2017-02-21T00:04:45Z">whissi</metadata> +</glsa> diff --git a/metadata/glsa/glsa-201702-29.xml b/metadata/glsa/glsa-201702-29.xml new file mode 100644 index 000000000000..d6e26f8aa7f6 --- /dev/null +++ b/metadata/glsa/glsa-201702-29.xml @@ -0,0 +1,64 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> +<glsa id="201702-29"> + <title>PHP: Multiple vulnerabilities</title> + <synopsis>Multiple vulnerabilities have been found in PHP, the worst of which + could lead to arbitrary code execution or cause a Denial of Service + condition. + </synopsis> + <product type="ebuild">php</product> + <announced>2017-02-21</announced> + <revised>2017-02-21: 1</revised> + <bug>604776</bug> + <bug>606626</bug> + <access>remote</access> + <affected> + <package name="dev-lang/php" auto="yes" arch="*"> + <unaffected range="ge" slot="5.6">5.6.30</unaffected> + <vulnerable range="lt" slot="5.6">5.6.30</vulnerable> + </package> + </affected> + <background> + <p>PHP is a widely-used general-purpose scripting language that is + especially suited for Web development and can be embedded into HTML. + </p> + </background> + <description> + <p>Multiple vulnerabilities have been discovered in PHP. Please review the + CVE identifiers referenced below for details. + </p> + </description> + <impact type="normal"> + <p>An attacker could possibly execute arbitrary code or create a Denial of + Service condition. + </p> + </impact> + <workaround> + <p>There is no known workaround at this time.</p> + </workaround> + <resolution> + <p>All PHP 5.6 users should upgrade to the latest version:</p> + + <code> + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.30:5.6" + </code> + </resolution> + <references> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10158"> + CVE-2016-10158 + </uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10159"> + CVE-2016-10159 + </uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10160"> + CVE-2016-10160 + </uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10161"> + CVE-2016-10161 + </uri> + <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9935">CVE-2016-9935</uri> + </references> + <metadata tag="requester" timestamp="2017-01-18T23:06:15Z">b-man</metadata> + <metadata tag="submitter" timestamp="2017-02-21T00:05:07Z">whissi</metadata> +</glsa> |